Didn't see this earlier for some reason ...
Holger Zuleger <holger.zule...@hznet.de> 2013-01-10 23:35:

Hi Brian,

Advertising

I've been exploring various dnssec key management tools out there of
late and ran across this one, which I think is my favorite so far.

sounds good.

I say "key management", since originally, my intention was just to find
something that would help me in doing the key rollover and lifetime
selection and setting for the standard bind9 dnssec-keygen tool, dump
those all in the same directory (the key repository if you will) and
then I was just going to use dnssec-signzone -S "smart signing" to have
it use the timestamp values in those keys to figure out which DNSKEY
entries and DS entries to include.

I didn't checked it myself, but maybe DSKM [1] fulfills your needs.

Thanks for the tip. This does look interesting, but so far I think zkt
is still a better match for our environment.

...

It seems that zkt can do some of the "smart signing" (inclusion of
appropriate ds and dnskey records) as well, though requires a different
zone layout for me to be able to use it.

You have to $INCLUDE dnskey.db, and if you like to use a soa serial
format of yyymmddnnn, then the SOA record needs a special layout.

Yeah, all of that was fine. Just the directory layout, but that was
easy enough to change. The rest has been in tracking down other
problems with things like cidr domains and a careful dance between full
paths and relative paths.

My question was whether the two methods are compatible (looks to be not
since the comment headers are different and the zkt-signer.c source
specifically includes the -C compatibility option for newer
dnssec-keygen bind9 tools), OR if there's any intention to make zkt make
use of the smart signing stuff and that key format in the future?

First of all, yes you are right. ZKT was implemented at a time as
BIND was not able to sign the zone automatically.
With BIND 9.7 and moreover since the very cool inline signing feature
of BIND 9.9, the resigning of the zone should be done by BIND itself.

I am thinking about a new ZKT version with the primary use of key
rollover, but it requires a lot of re-coding and, to be honest, I
don't have the resources to do it right now.